Twitter Asks Users to Change Passwords After Finding Internal Log Bug

Twitter is asking its more than 330 million users to change their passwords after it discovered a bug within one of its internal logs.

On 3 May, CTO Parag Agrawal announced the discovery of a weakness that had undermined Twitter’s secure storage of users’ passwords. He explained that Twitter uses the bcrypt cryptographic hashing algorithm to convert each member’s password into a series of numbers and letters. Agrawal said that the company then stores that data sequence within its systems and uses it to validate members’ credentials without exposing their passwords.

The bug disrupted this process, however. Agrawal identified exactly how in a blog post:

Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.

Twitter’s CTO didn’t say exactly how many users the flaw affected. Other reports indicated the bug’s impact could extend to all of Twitter’s more than 330 million members.

Given the nature of the flaw, Agrawal urged all users to “consider” changing their passwords. The company did not issue a hard reset of members’ credentials, presumably because it found no “indication of a breach or misuse by anyone” at the time of discovery.

We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ

Users of the social media platform shouldn’t leave anything up to chance. They should use these experts’ advice to replace their existing password with a strong combination. That means they should change their password for all of their accounts across which they reused their Twitter credentials. Ideally, they should set a unique password for each of their web accounts and store them using a password manager.

Twitter members should also considering activating additional security measures on their profiles. In particular, they should enable login verification, or Twitter’s version of two-factor authentication (2FA). They can learn more about this feature here.